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AMENDMENTS TO THE CLAIMS : 

This listing of claims will replace all prior 
versions, and listings of claims in the application: 

LISTING OF CLAIMS : 

1-9. (canceled) 

10. (new) A network attack detection system, 
characterized in that a header of packet in transmission is 
examined and the values of one or more pre-speci f ied fields in 
the packet header are observed, and in case the number of 
distinct values observed in the pre-specif ied fields reaches a 
pre-specif ied threshold within a pre-specif ied time interval, it 
is judged that an unauthorized attack is in progress, and this 
judgment is carried out based on either of the following 
conditions : 

(a) N(t) is the number of distinct values of the field 
observed within a pre-specif ied time interval from time t, N(t x ) 
is the number of distinct values of the field observed within the 
pre-specif ied time interval from some time ti and if the ratio of 
N(t) to N(ti) is greater than, or equal to, some pre-specif ied 
threshold ki, that is, if N(t)/ N(ti) > k x , the system will judge 
that an attack is in progress; 

(b) P(t) is the number of packets in transmission 
within the pre-specif ied time interval from some time t, and if 
the ratio of the number of N(t) to P(t) is greater than, or equal 
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to, some pre-specif ied threshold k 2 , that is, N(t)/P(t) > k 2 , the 
system will judge that an attack is in progress; 

(c) P(ti) is the number of packets in transmission 
within the pre-specif ied time interval from some time ti, and if 
the ratio of the coefficient computed in (b) above for the time t 
to that computed for the time tl, {N(t)/P(t)} / {N ( ti) /P ( ti) } , is 
greater than, or equal to, some pre-specif ied threshold k 3 , that 
is, {N(t)/P(t)} / {N (ti) /P (ti) } > k 3 , the system will judge that 
an attack is under progress; 

(d) T(t) is the number of octets or bits in the packets 
in transmission within the pre-specif ied time interval from some 
time t, and if the ratio N(t) to T(t) is greater than, or equal 
to, some pre-specif ied threshold k 4 , that is, N(t)/T(t) > k 4 , the 
system will judge that an attack is in progress. 

11. (new) The network attack detection system according 
to claim 10, characterized in that arbitrary combinations of two 
or more header fields are allowed, and the number of distinct 
values observed for the resultant composite field is used to 
compute the coefficient which is compared against the threshold. 

12. (new) The network attach detection system according 
to claim 10, characterized in that it is inferred that an illegal 
attack is underway when the Time To Live (TTL) value in the 
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header field of a packet does not lie in the range of the values 
seen beforehand for the source address in the header of packets. 

13. (new) A network attack detection system, 
characterized in that it is judged that an illegal attack has 
taken place by observing the values of the packet header fields, 
and when the number of distinct values seen in a combination of 
two or more header fields exceeds a pre-specif ied threshold value 
within a pre-specif ied time, it is judged that an attack is in 
progress . 

14. (new) The network attack detection system according 
to claim 13, characterized in that judgment is made that an 
attack is in progress, if the Time to Live (TTL) value in the 
header of the packet does not lie in the range of the values seen 
beforehand for the source address in the header of the packet. 

15. (new) The network attack tracking system according 
to claim 10, characterized in that a source of the unauthorized 
attack is searched by setting these systems at various places on 
the Internet . 

16. (new) The network attack tracking system according 
to claim 11, characterized in that a source of the unauthorized 
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attack is searched by setting these systems at various places on 
the Internet. 

17. (new) The network attack tracking system according 
to claim 12, characterized in that a source of the unauthorized 
attack is searched by setting these systems at various places on 
the Internet. 

18. (new) The network attack tracking system according 
to claim 13, characterized in that a source of the unauthorized 
attack is searched by setting these systems at various places on 
the Internet. 

19. (new) The network attack tracking system according 
to claim 14, characterized in that the source of the unauthorized 
attack is searched by setting these systems at various places on 
the Internet. 

20. (new) A method of detecting a network attack, 
comprising the steps of: 

examining a pre-specif ied field in a header of a packet 
in transmission for distinct values; and 

determining that an unauthorized attack is in progress 
based on an observed number of distinct values in the examined 
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pre-specif ied header field reaching a pre-specif ied threshold 
within a pre-speci f ied time interval, wherein, 

the determination includes that at least one of the 
following conditions is satisfied 

(a) N(t) is the number of the distinct values of the 
field observed within the pre-specif ied time interval from some 
time t, N(ti) is the number of distinct values of the field 
observed within the pre-specif ied time interval from some time ti 
and the ratio of N(t) to N(ti) is greater than, or equal to, a 
pre-specif ied threshold ki, that is N(t)/N(ti) > ki, 

(b) P(t) is the number of packets in transmission 
within the pre-specif ied time interval from some time t, and the 
ratio of N(t) to P(t) is greater than, or equal to, some pre- 
specif ied threshold k 2 , that is, N(t)/P(t) >_ k 2 , 

(c) P(ti) is the number of packets in transmission 
within the pre-specif ied time interval from the time ti, and the 
ratio of the coefficient computed in (b) above for the time t to 
that computed for the time tl, {N(t)/P(t)} / { N ( ti) /P ( ti) } , is 
greater than, or equal to, some pre-specif ied threshold k 3 , that 
is, {N(t)/P(t)} / {N(ti) /P(ti) } > k 3 , and 

(d) T(t) is the number of octets or bits in the packets 
in transmission within the pre-specif ied time interval from some 
time t, and the ratio N(t) to T(t) is greater than, or equal to, 
some pre-specif ied threshold k 4 , that is, N(t)/T(t) > k 4 . 
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21. (new) The method of claim 20, wherein, 

said examining step examines a resultant composite 
field comprised of arbitrary combinations of two or more of 
header fields, and 

the number of distinct values observed for the 
resultant composite field is used to compute the coefficient 
which is compared against the threshold. 

22. (new) The method of claim 20, comprising the 
further steps of: 

from an examined packet, inferring that the 
unauthorized attack is underway when a Time To Live (TTL) value 
in the pre-speci f ied field of the examined packet is outside a 
range of the values seen beforehand for the source address in the 
header of the examined packet, and 

after determining that the source address in the header 
of the examined packet is legitimate, detecting the unauthorized 
attack based on whether the Time To Live value is within a pre- 
specified range of the expected Time To Live value for the source 
address. 

23. (new) The method of claim 20, wherein, 

said examining step is performed at various places on 
the Internet. 
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24. (new) A method of detecting a network attack, 
comprising the step of: 

observing values of packet header fields and upon 
observing that a number of distinct values seen in a combination 
of two or more header fields exceeds a pre-specif ied threshold 
value within a pre-specif ied time, judging that an unauthorized 
attack is in progress. 

25. (new) The method of claim 24, wherein, 
observing a Time To Live value in the packet header and 

judging the unauthorized attack is in progress upon the observed 
Time To Live value being outside a range of the values seen 
beforehand for the source address in the packet header. 

26. (new) The method of claim 24, wherein, 

said observing step is performed at various places on 
the Internet. 
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